Profiles, roles and permission sets work together to determine what Salesforce users can see and do inside Salesforce. I remember security & access was one of the toughest topics on the Salesforce Admin certification exam. There is no way around these concepts, as they are foundational to how Salesforce records are visible and editable. So, what are the differences between Salesforce Roles and Profiles?
While I was attempting to wrap my head around the differences between Salesforce roles and profiles, there was a simple mantra that I said to myself over and over again, and then took into the exam with me: “Roles see, profiles do”.
That is an oversimplification but it is the best way to start learning about profiles vs. roles in Salesforce. In this post, I will dive into the differences between the two concepts. Come with me as I take you on a journey into how Salesforce permissions work.
What is a Salesforce Profile?
Profiles control what users can do in your Salesforce org. This can be referred to as CRED:
- C = create
- R = read
- E = edit
- D = delete
You may want some users in your org to read and edit Leads, but not delete them. CRED enables you to mix and match what a specific user can do with each object.
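On a profile’s settings, these permissions are found under the ‘Object Permissions’ section.
In addition to objects, profiles also control field-level security (which fields are visible or editable), page layouts, record types, apps and tabs.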
Each Salesforce user in your org has a profile. Profiles are designed to group users into functions, for example, ‘Sales’, ‘Support’ etc.
The most important profile in the org is ‘System Administrator’. Users in this profile have absolute access to do anything. In addition to CRED, they will have ‘View all’ and ‘Modify all’ selected for each object.
They will also have the ultimate permissions, namely ‘Modify all data’ and ‘Customize application’ (found under the ‘Administrative Permissions’ section), which you would not want to give to any other users!
What is a Salesforce Role? – and the Role Hierarchy
Let’s switch to thinking about roles, which control what users can see in your Salesforce org.
Roles are designed to increase data visibility, opening up access to Salesforce records. You will have a baseline visibility set for each object in your org, known as the ‘org wide default’ (organization-wide default, OWD). Examples of this could be:
- Opportunities are set to ‘Private’, which means that users can only see the opportunities they own.
- Accounts are set to ‘Public Read/Write’, so that any user can help to update account information.
You should know that there are defaults that are already set. I’m not going to dive into details on OWD right now, but I want you to remember the golden rule…
Golden rule: the ‘org wide default’ should be set to the most restrictive level. Salesforce permissions work by opening up access, not by locking it down. So, start with the strictest in mind.
There are two ways to increase data visibility via roles, essentially superseding (pushing past) the OWD:
- The Role Hierarchy
- Sharing Rules
Salesforce Roles and Profiles
There’s some confusion when a Salesforce org is using both profiles and roles. They are designed to be used together – it is not an ‘either/or’ decision.
It may help to think in different shapes. Profiles are like circles, whereas roles are arranged into a hierarchy (when using the Role Hierarchy):
Profiles are like circles of users that share the same function, e.g. ‘Marketing’, ‘System Admin’, ‘Sales’, ‘Support’. Roles are how users relate to each other in a hierarchy, e.g. the ‘VP of Sales’ is above the Sales Managers in the role hierarchy.
Note: Sharing Rules are used to extend the Role Hierarchy, so that you are not restricted to the strict top-down sharing as laid out in the hierarchy – in other words, Sharing Rules can enable you to open up record visibility horizontally across the hierarchy.
Differences Between Profiles and Roles
| | Profiles | Roles |
|---|---|---|
| Determines what users can... | Do - create, read, edit, delete | See - record visibility |
| Required for each user? | ✓ | X - it’s optional |
| Imagine in the shape of: | Circles, grouping users with similar functions. | Hierarchy, that splits users with more authority from those with less. |
| Controls access to: | Objects, field-level security (which fields are visible or editable), page layouts, record types, apps, tabs. | Records, folders. |
What About Permission Sets? (Permission Sets vs. Profiles)
Once you have got to grips with profiles and roles, you have mastered a core Salesforce Admin concept that will serve you well. What about permission sets, then? Not another Salesforce data access concept! Fear not, I will explain the differences between profiles and permission sets quickly, and painlessly.
Permission sets could be considered add-ons for profiles. They offer flexibility in how you add certain permissions (objects, field-level security, page layouts, record types, apps, tabs) to certain users – almost like you are tagging an individual user. In order to grant a very specific ability to a user, you obviously don’t want to create a whole new profile just for that one difference between their abilities and the rest of their team’s!
Let’s take an example:
There is a sales team, who have the profile ‘Sales User’. Only Carole should be able to change the team’s email templates, so the Admin has created a Permission Set called ‘Modify Email Templates’ which she has added to Carole’s user record.
Permission sets are visible from the related list on the user’s record.
Permission sets can simply be added and removed by moving them between ‘Available Permission Sets’ and ‘Enabled Permission Sets’.
You should also be aware of Permission Set Groups. These were new in the Spring ’20 release, created to revolutionize how Admins can organize org permissions, allowing Permission Sets to be grouped together and assigned to users.
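To see “Roles see, profiles do” and the add-on nature of permission sets in one place, here is a simplified Python model, added as an illustration (it is not from the original post and is not Salesforce code). The ‘Sales Rep’ role, the users Dan and Vic, the ‘Delete Opportunities’ permission set and the "VA"/"MA" shorthand for ‘View all’/‘Modify all’ are assumptions made for the example.

```python
# Simplified model of object permissions vs. record visibility. An
# illustration only: real Salesforce sharing has more inputs than this.
from dataclasses import dataclass, field

ROLE_PARENT = {"Sales Rep": "Sales Manager", "Sales Manager": "VP of Sales"}  # constructed
OWD = {"Opportunity": "Private", "Account": "Public Read/Write"}  # constructed

@dataclass
class User:
    name: str
    profile: dict                 # object -> subset of {"C","R","E","D","VA","MA"}
    role: str = None              # a role is optional, a profile is not
    permission_sets: list = field(default_factory=list)

    def object_perms(self, obj):
        """Profile permissions plus whatever permission sets add on top."""
        perms = set(self.profile.get(obj, ()))
        for ps in self.permission_sets:
            perms |= set(ps.get(obj, ()))
        return perms

def is_above(role, other):
    """True if `role` sits above `other` in the role hierarchy."""
    while other in ROLE_PARENT:
        other = ROLE_PARENT[other]
        if other == role:
            return True
    return False

def can(user, action, obj, owner):
    """action is 'R', 'E' or 'D'; owner is the User who owns the record."""
    perms = user.object_perms(obj)
    if action not in perms:                   # "profiles do": object-level gate
        return False
    if "MA" in perms or (action == "R" and "VA" in perms):
        return True                           # 'Modify all' / 'View all'
    if owner is user:
        return True                           # owners reach their own records
    if user.role and owner.role and is_above(user.role, owner.role):
        return True                           # "roles see": hierarchy opens access
    owd = OWD[obj]                            # otherwise fall back to the OWD
    if action == "R":
        return owd in ("Public Read Only", "Public Read/Write")
    return action == "E" and owd == "Public Read/Write"

# Constructed sample data; DELETE_OPPS is a hypothetical permission set.
SALES_USER = {"Opportunity": {"C", "R", "E"}, "Account": {"C", "R", "E"}}
DELETE_OPPS = {"Opportunity": {"D"}}
carole = User("Carole", SALES_USER, "Sales Rep", [DELETE_OPPS])
dan = User("Dan", SALES_USER, "Sales Rep")
vp = User("Vic", SALES_USER, "VP of Sales")
```

In this model the VP can read and edit Carole’s private opportunities through the hierarchy, but still cannot delete them because the profile never granted Delete, while Carole’s permission set lets her delete only the records she can already reach.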
Profiles, roles and permission sets work together to determine what Salesforce users can see and do inside Salesforce. These concepts are foundational to how Salesforce records are visible and editable, and are absolutely essential knowledge in order to become a Salesforce Admin.
Now you know the differences between a Salesforce Role and Profile, plus how Permission sets come into the picture. There’s some confusion when a Salesforce org is using both profiles and roles. They are designed to be used together – it is not an ‘either/or’ decision.
Just remember the simple mantra: “Roles see, profiles do” if you’re ever in doubt.